bug#47634: Accompany .asc and .DIGESTS keys for the ISO

[bo0od]

> Which implies that the signatures are sufficient, right?

Well this is simple question but the answer is sorta deeper, So i will 
answer with yes and no:

yes signatures are sufficient but signatures with PGP has problems, In 
the suggestion above i didnt suggest to diverse the signing methods 
(like for example using signify alongside with gpg) but just adding 
extra steps better than one (more convenience to say that everything is 
going smoothly).

To understand what im talking about i suggest to read:

Why PGP on expiration time:

https://www.whonix.org/wiki/OpenPGP#Issues_with_PGP

Discussion which might consider deprecate the usage of PGP by debian:

https://wiki.debian.org/Teams/Apt/Spec/AptSign

Whonix already using signify alongside with PGP:

https://www.whonix.org/wiki/Signify

Also there are challenges to the concept itself:

https://www.whonix.org/wiki/Verifying_Software_Signatures#Conceptual_Challenges_in_Digital_Signatures_Verification



So I hope by complete reading that you will come to the conclusion that 
either provide as much as possible from extra verification (like 
.asc,DIGESTS,SHA512...etc) or provide alternative verification along 
side with the traditional one like using signify or using something like 
signify and thats it. (i think providing both methods like pgp/signify 
is the best way which suits everybody)




> On 9 April 2021 3:34:20 am AEST, bo0od <bo0od@riseup.net> wrote:
> > This is nicely written by Qubes documentation:
> >
> > https://www.qubes-os.org/security/verifying-signatures/
>
>  From that page:
>
> > If you’ve already verified the signatures on the ISO directly, then verifying 
> > digests is not necessary.
>
> Which implies that the signatures are sufficient, right?
>
> What is the benefit to providing the key (.asc) and hashes (.DIGESTS)? The page 
> you linked provides rationale for providing and checking digital signatures, 
> but we already provide them.
>
> Carlo